0

I have Windows 11 installed on an NVMe SSD, installed in an SSD enclosure, as a Windows To Go live image. I did this with Rufus. I typically use it on my work laptop (Windows 10 Ent with BitLocker & TPM) so I can be a cheapskate and not have to buy my own laptop, but I can have my own, isolated, Windows installation.

It works very well - I use my work laptop as usual during work hours, then in the evenings and weekends I can live boot into my own Windows 11 instance. What is strange though is how BitLocker seems to be configured on the live instance.

I have never asked for BitLocker protection on the live instance, and I am never asked for a PIN when booting. However if I go to the BitLocker settings screen within Windows, it shows as a BitLocker protected volume, with all the options which would normally be available on a protected volume (suspend, print recovery key etc).

The key protectors in use are TPM and Numerical Password.

If I connect the drive when booted into the installed Windows 10 instance, it shows as a BitLocker protected volume. I can access it, but only with the recovery key - it never asks me for a PIN.

I should note that this isn't causing me any issues, and the question is simply out of curiosity of how BitLocker is being handled on this volume.

2
  • 1
    Which BitLocker protector is being used? Please edit your question to include this vital, necessary information.
    – Ramhound
    Commented Oct 19, 2022 at 15:29
  • @Ramhound Think I've added the info you ask for - TPM and Numerical Password. Please let me know if this isn't what you meant, and thanks for the comment Commented Oct 19, 2022 at 15:46

2 Answers

1

> If I connect the drive when booted into the installed Windows 10 instance, it shows as a BitLocker protected volume. I can access it, but only with the recovery key - it never asks me for a PIN.

Your Windows To Go install is using the fTPM of this specific device which means the key is handled by the TPM. This explains the reason the recovery key is required on a different device.

If I am not mistaken the numerical pin would be the pin used to access the account you created. You can prevent NOT needing the numerical pin by removing the TPM protector.

0

The behavior is correct and expected. Problem is: if you connect your windows2go to any other machine (no matter if you boot from it or use it just as portable storage), you will need to enter the numerical (48 digits) password. That is, although you might find it disturbing, again expected behavior.

You should add a password protector if you would like to avoid entering 48 digits. To do so, you would need to remove the TPM protector first.
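
The protector behaviour described in the two answers above can be checked without changing anything on the volume. This is an added example, not part of the original posts: the function name `Get-ProtectorPortability` and the sample protector IDs are constructed for illustration, and what `manage-bde` lists as "Numerical Password" appears in PowerShell as the `RecoveryPassword` key protector type.

```powershell
# Added example (not from the original posts). Read-only: it lists protectors
# and changes nothing on the volume.
function Get-ProtectorPortability {
    param([Parameter(Mandatory)] [object[]] $KeyProtector)

    foreach ($p in $KeyProtector) {
        $type = [string]$p.KeyProtectorType
        # Every type starting with "Tpm" (Tpm, TpmPin, TpmStartupKey, ...) is
        # sealed to the TPM of the machine that created it.
        $tpmBound = $type -like 'Tpm*'
        [pscustomobject]@{
            KeyProtectorType = $type
            KeyProtectorId   = $p.KeyProtectorId
            BoundToThisTpm   = $tpmBound
            UsableOnOtherPC  = -not $tpmBound
            Note             = switch ($type) {
                'Tpm'              { 'Unlocks silently at boot on this machine only' }
                'TpmPin'           { 'Asks for a PIN at boot on this machine only' }
                'RecoveryPassword' { '48-digit password, accepted on any machine' }
                'Password'         { 'User-chosen password, accepted on any machine' }
                default            { 'See manage-bde -protectors -get for details' }
            }
        }
    }
}

# Constructed sample matching the question: TPM + Numerical Password.
$sample = @(
    [pscustomobject]@{ KeyProtectorType = 'Tpm';              KeyProtectorId = '{CONSTRUCTED-ID-1}' }
    [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{CONSTRUCTED-ID-2}' }
)
Get-ProtectorPortability -KeyProtector $sample | Format-Table -AutoSize

# Live data for the running OS volume (needs an elevated prompt and the
# BitLocker module); falls back to a warning if unavailable.
try {
    $live = (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).KeyProtector
    if ($live) { Get-ProtectorPortability -KeyProtector $live | Format-Table -AutoSize }
} catch {
    Write-Warning "Could not read BitLocker protectors: $($_.Exception.Message)"
}
```

For the sample, the `Tpm` row shows `UsableOnOtherPC` as False and the `RecoveryPassword` row shows True, which matches the drive unlocking silently on the laptop it was set up on and asking for the recovery key everywhere else.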
